Employees are put into one of these groups and the groups are given access to various shares (Admin has universal access):

Account Dept Share – Accounting

Sales Dept Share – Sales

The Problem

In time we started getting a lot of file access errors. There didn’t seem to be much rhyme or reason, but various users could or couldn’t read or write to various directories. By the time we got around to fixing the issue, accessibility was a mess.

Troubleshooting

First I checked the security settings in ReadyNAS Frontview. Each share was set something like this:

To the best of my knowledge, these settings were right.

Next I checked the permissions of the files on the NAS. I logged in via SSH as the root user and navigated through the shares to examine the permission settings. I also had a user beside me creating files and directories in the locations I was interested in so I could see how permissions were set when a file or directory was created or modified.

Deductions

Every file or directory being created belonged to the user and the user’s default group. If the user was in multiple groups (like the admin) there were problems:

admin defaults to the Admin group: admin’s files could not be accessed by anyone who was not also in the Admin group.

admin defaults to the Accounting group: admin’s files could be accessed fine by other people in the Accounting group, but not by anyone in the Sales group.

admin defaults to the Sales group: admin’s files could be accessed fine by other people in the Sales group, but not by anyone in the Accounting group.

What Could be Done?

1) One way to do this would be to set every user’s default group to the same group (say, “users”) and assign any other groups as secondary groups. Accountants would have Accounting as a secondary group, and would therefore have access to the Accounting Dept Share. Once inside the share, all files and directories would belong to the “users” group, so anyone with access to the share would have access to all of it.

2) Another way to do this would be to set the Group ID (setgid) bit for the share directory. When the Group ID bit is set, all new files and directories created within it are assigned to the parent directory’s group. That way, it doesn’t matter what the admin’s default group is. If they create a file or directory in the Sales Dept Share, it will belong to the Sales group. The downside to this setup is that it can easily be undone. If someone gets into ReadyNAS Frontview and saves the share settings with “Set ownership and permission for existing files and folders . . .” checked, the Group ID bit gets unset.

This is how you set the Group ID bit for a folder via the command line:

Give it a shot. It shouldn’t hurt anything and should be easy to undo if it doesn’t work.

Conclusion

If I were setting this ReadyNAS up for the first time and had the foresight to anticipate this problem in the future, I’d probably use the first solution and set everyone to the “users” group by default. Because there was already so much directory infrastructure in place (and I’ve had complications editing file ownership directly via the command line), I opted to leave all that in place and use the second solution. It’s working well for the time being. If I have to go through and reconfigure the Group ID bit too often I just might end up converting to method 1.

Here’s the command I used to traverse a share directory recursively and set the Group ID bit:

#> find . -type d -exec chmod g+s {} \;

It finds all the directories below the current one and runs chmod g+s on each, which adds the “s” (setgid) flag to the group permissions.
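
Since saving the share settings in Frontview can silently unset the bit, it helps to be able to check a share before re-running the command. The script below is an added example, not part of the original setup; the function names and the script name are made up for illustration, and it goes slightly beyond the command above by also listing entries that still carry a group other than the share's.

```shell
#!/bin/sh
# Added example: audit and repair the Group ID (setgid) bit on a share.
# Function names are hypothetical; pass the share's root directory as $1.

# List directories under $1 that lack the setgid bit (octal 2000).
missing_setgid() {
    find "$1" -type d ! -perm -2000
}

# Number of such directories (assumes no newlines in directory names).
count_missing_setgid() {
    missing_setgid "$1" | wc -l | tr -d ' '
}

# Re-apply g+s only where it is missing, leaving other mode bits alone.
repair_setgid() {
    find "$1" -type d ! -perm -2000 -exec chmod g+s {} +
}

# List entries whose group differs from the share root's group. The setgid
# bit only affects files created after it is set, so older files can still
# carry a user's default group.
wrong_group() {
    gid=$(ls -ldn "$1" | awk '{print $4}')
    find "$1" ! -group "$gid"
}

# Stand-alone use: sh setgid-audit.sh /path/to/share
if [ "$#" -eq 1 ]; then
    echo "directories missing setgid: $(count_missing_setgid "$1")"
    missing_setgid "$1"
    echo "entries not owned by the share's group:"
    wrong_group "$1"
fi
```

Run it against a share after anyone has touched the Frontview share settings; a non-zero count means the bit was reset and the find command above needs to be applied again.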